
Differences

soc:irt:playbooks:windows_disk [2026/06/16 10:53] titannetsoc:irt:playbooks:windows_disk [2026/06/16 14:45] (current) titannet
Line 18: Line 18:
 ==== Env variables ==== ==== Env variables ====
 <code bash> <code bash>
 +rm ~/.case.env
 pwd pwd
-WD=/case/working/folder && echo 'WD=$WD>> ~/.case.env +WD=/case/working/folder && echo "WD=$WD>> ~/.case.env 
-E=/case/working/folder/evidence/evidence.E01 && echo 'E=$E>> ~/.case.env+E=/case/working/folder/evidence/evidence.E01 && echo "E=$E>> ~/.case.env 
 </code> </code>
  
-==== Disk Image ====+==== Disk Image basics ====
  
  
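Review bot: The two rewritten `echo` lines are still unterminated: the opening `"` is never closed, so `>> ~/.case.env` becomes part of the string and an interactive shell waits for a continuation line while a script aborts with an unexpected-EOF error. Close the quote before the redirect: `WD=/case/working/folder && echo "WD=$WD" >> ~/.case.env` and `E=/case/working/folder/evidence/evidence.E01 && echo "E=$E" >> ~/.case.env`. The `DISK_C` line in the next hunk (Line 31/33) has the same missing closing quote and needs the same fix. Switching from `'` to `"` is the right move, since single quotes would have written the literal text `$WD` into the file instead of its value.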
Line 31: Line 33:
 # -p has 'pretty' & predictable folder name, fails if in use # -p has 'pretty' & predictable folder name, fails if in use
 # new tab or crtl-z # new tab or crtl-z
-DISK_C=<imount_dir> & echo 'DISK_C=$DISK_C>> ~/.case.env+DISK_C=<imount_dir> && echo "DISK_C=$DISK_C>> ~/.case.env
 </code> </code>
  
 +==== Start with plaso ====
 +
 +<code bash>
 +docker run -it --rm --entrypoint=/bin/bash -v ./:/work log2timeline/plaso
 +# docker run -it --rm --user :$(id -g) --entrypoint=/bin/bash -v ./:/work log2timeline/plaso
 +
 +# one step
 +psteal.py --source /work/evidence/<filename> -o dynamic,json_line -w /work/data/plaso_#.json
 +
 +# two step
 +log2timeline.py --storage-file /work/data/timeline.plaso /work/evidence/<filename>
 +psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
 +#psort.py -o json_line -w /work/output/plaso_out.json /work/data/timeline.plaso
 +
 +
 +cp output/plaso_out.json tools/splunk/import/
 +cd tools/splunk
 +docker compose up -d
 +# -> localhost:8000, admin:password, settings->add->monitor->files->index_once->source_type=plaso
 +
 +</code>
  
 === Extended disk image anaylsis === === Extended disk image anaylsis ===
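Review bot: The two plaso routes in this block disagree on where the output lands: the one-step `psteal.py` writes to `/work/data/plaso_#.json`, while the two-step `psort.py` and the later `cp output/plaso_out.json tools/splunk/import/` use `/work/output/`, so someone following the one-step route has nothing to copy. Use one location, e.g. `psteal.py --source /work/evidence/<filename> -o json_line -w /work/output/plaso_out.json`; as far as I recall `-o` takes a single output format, so `dynamic,json_line` probably needs to become one of them, and `json_line` matches the two-step path. The image is also pulled untagged (`log2timeline/plaso` resolves to `latest`), so two analysts can produce different timelines from the same E01; pin a version tag or digest, for example `log2timeline/plaso:<version>`, and record it in the case notes. The `admin:password` in the closing comment reads as a fixed default for the Splunk container; if that is what the compose file sets, a comment that this instance is for local offline analysis only and should stay bound to localhost would help the next analyst.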
Line 41: Line 64:
 istat -o <offset> $E 5 # root node istat -o <offset> $E 5 # root node
 istat -o <offset> $E <inode from fsstat> istat -o <offset> $E <inode from fsstat>
 +
 +fls -o <offset> -m C: -r $E > data/bodyfile
 +mactime -b data/bodyfile -d -z UTC yyyy-mm-ddThh:mm:ss > output/disk_timeline.csv
 +
 +mactime -b data/bodyfile -d -z UTC yyyy-mm-ddThh:mm:ss..yyyy-mm-dd > output/disk_timeline.csv
 +
 +
 +# dissect
 +
 +target-query -f hostname,domain,version,ips,install_date,timezone $E
 +# much more useful for queries on multiple disks at once
 +
 +target-query -j -f services $E | jq -r '.name' 
 +# JSON output → jq
 +target-query --list | grep -iE 'userassist|shimcache|amcache|services|powershell_history|browser.history'
 </code> </code>